DETAILED ACTION 



Notice to Applicant(s) 



1. This application has been examined. 
Claims 1-20 are pending. 



Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Applicant's Admission of Prior Art (Pub. No. 2005/0114655 A1), hereinafter AAPA, in 
view of Cheriton (USPN 7,149,216), hereinafter Cheriton, and further in view of Non- 
Patent Literature Security Overview (by Instructor Joonwon Lee), hereinafter Lee. 

a. Per claim 1, AAPA discloses a method of generating a representation of 
an access control list (See pg. 1 paragraph [0003] where routers or switches 
typically utilize ACLs.), the representation being utilizable in a processor (See pg. 1 
paragraph [0004] where network processors are used.), the method comprising the 
steps of: 



Application/Control Number: 10/723,160 Page 3 

Art Unit: 2168 

determining a plurality of rules of the access control list, each of at least a subset 
of the rules having a plurality of fields and a corresponding action (See page 1 
paragraph [0003] where an ACL generally comprises a set of rules, the rules 
having fields and corresponding actions.); 

AAPA does not explicitly disclose processing the rules to generate a multi-level 
tree representation of the access control list, each of one or more of the levels of the 
tree representation being associated with a corresponding one of the fields; and 
wherein at least one level of the tree representation comprises a plurality of nodes. 

However, Cheriton discloses the ACL having rules compiled into an ACL M-trie 
Plus data structure having multiple levels, each level having a plurality of nodes 
associated with fields, the fields including source and destination addresses (See 
col. 2 lines 15-18 and 35-37, and col. 4 lines 5-9 where the M-trie Plus data structure is 
a multi-level tree.). 

At the time of the invention, it would have been obvious to a person of ordinary 
skill in the art of generating Access Control Lists (ACLs) (AAPA) to generate a multi- 
level tree representation of the access control list as taught by Cheriton. The motivation 
would have been to provide a faster way of traversing the ACL due to earlier methods 
being relatively slow (See col. 1 lines 39-46 of Cheriton.). 

AAPA in view of Cheriton does not explicitly disclose that with two or more of the 
nodes of a level having a common subtree, the tree representation including only a 
single copy of that subtree; the tree representation being characterizable as a directed 
graph in which each of the two nodes having the common subtree points to the single 
copy of the common subtree. 

However, Lee discloses two or more of the nodes of a level of a tree in a directed 
graph representation having a common subtree pointing to a single copy of the common 
subtree (See pg. 12 where a plurality of nodes 'x & y' at one level points to one 
node 'y'.). 

At the time of the invention, it would have been obvious to a person of ordinary 
skill in the art of generating Access Control Lists (ACLs) in a multi-level tree 
representation (AAPA and Cheriton) to have two or more of the nodes of a level of the 
tree in a directed graph representation having a common subtree pointing to a single 
copy of the common subtree as taught by Lee. The motivation would have been to 
optimize the ACL representation by improving speed further and reducing redundancy (See 
pg. 9 of Lee where slow access of the list is a disadvantage.). 

b. Per claim 2, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein the common subtree is implemented at least in part as a matching table 
(AAPA See pg. 1 paragraph [0009] where ACL rules are stored in table format. 
Also see [0003] where ACL typically implies an ordered matching or ordered list of 
AAPA.). 

c. Per claim 3, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein the plurality of fields comprises at least first and second fields, the first 
field comprising a source address field and the second field comprising a destination 
address field (See pg. 1 paragraph [0003] where fields define source and 
destination addresses of Cheriton.). 

d. Per claim 4, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein a final level of the tree representation comprises a plurality of leaf 
nodes, each associated with one of the actions of the plurality of rules (See col. 2 lines 
35-42, col. 3 lines 53-63, and col. 4 lines 5-9 of Cheriton where second level of 
nodes of the addresses is associated with routing rules.). 

e. Per claim 5, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein the at least one level of the tree representation comprises a root level of 
the tree representation (See col. 4 lines 1-4 of Cheriton where tree, including roots; 
i.e. root level.). 

f. Per claim 6, AAPA in view of Cheriton and Lee discloses the method of 
claim 5 wherein a second level of the tree representation includes a plurality of nodes, 
each being associated with a subtree of a given one of the plurality of nodes of the root 
level of the tree representation (See above in claim 1 where Lee teaches root level 
of nodes points to one particular subtree.). 
g. Per claim 7, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein for each level of the tree representation that corresponds to a field of a 
rule of the access control list (See Cheriton col. 4 lines 35-41 where first and second 
levels corresponding to fields including source and destination address.), a 
master list of nodes is maintained, each node comprising at least one of information 
characterizing one or more field values associated with that node (See Cheriton col. 3 
lines 53-67 where extended ACL list is the master list), one or more subtree pointers 
for that node, and a reference count indicating how many ancestor nodes are pointing to 
that node (See Cheriton col. 3 lines 46-51 where oppointer includes pointers for a 
node and opcode; i.e. subtree pointers and a reference count). 

h. Per claim 8, AAPA in view of Cheriton and Lee discloses the method of 
claim 7 wherein the tree representation is generated by sequentially processing the 
rules of the access control list, the processing for a given rule comprising applying 
values of fields of the given rule to one or more existing nodes of the tree representation 
(See col.1 lines 55-59 and col. 2 lines 15-19 of Cheriton for access control list 
processing.), and wherein when a particular value of a field of the given rule is applied 
to a given node (See col. 2 lines 35-43 where sequence of nodes have applied 
source and destination address values, see col. 4 lines 5-9.). 

AAPA in view of Cheriton and Lee does not explicitly disclose a copy is made of 
the node, the field value is applied to the copied node, and the resultant updated node 
is added to the master list of the corresponding level. However it is obvious over the 
directed graph ACL tree structure of Lee that a copy must be made of a node to 
compare nodes in order to ultimately reduce the number of nodes to fewer nodes in 
order to improve traversal speed of the structure which is well known in the art (See Lee 
pg. 9 advantages and disadvantages.). 

i. Per claim 9, AAPA in view of Cheriton and Lee discloses the method of 
claim 8 wherein the updated node is compared with other nodes of the master list and if 
a duplicate node is found, the copied node is deleted and a pointer to the duplicate 
node is provided to an ancestor node that points to the given node, a subtree pointer of 
the ancestor node is updated to the duplicate node pointer, a reference count of the 
duplicate node now pointed to by the ancestor node is incremented and a reference 
count of the given node previously pointed to by the ancestor node is decremented (See 
Lee for subtree on pg. 12 where a plurality of nodes 'x & y' at one level points to 
one node 'y', where 'y' is interpreted as common subtree node remaining after 
copied nodes are deleted. See Cheriton on col. 3 lines 46-51 for oppointers, i.e. 
pointers.). 

j. Per claim 10, AAPA in view of Cheriton and Lee discloses the method of 
claim 9 wherein if a duplicate node is found in the master list, that duplicate node is 
moved to an initial position in the master list (See Lee on pg 12 where duplicates of x 
and y are given.). 
k. Per claim 11, AAPA in view of Cheriton and Lee discloses the method of 
claim 7 wherein for each node in the master list (See Cheriton where master list is 
extended ACL list), a copy pointer is maintained, and wherein when a copied node is 
compared to the master list and a duplicate node is found, the copied node is added as 
a copy to the master list for use in conjunction with the processing of a subsequent rule 
(See Lee on pg 12 where duplicates of x and y are given. See AAPA for ACL 
rules.) 

l. Per claim 12, AAPA in view of Cheriton and Lee discloses the method of 
claim 7 wherein for each node in the master list (See Cheriton col. 3 lines 64-66 
where extended ACL list is master list), a signature is maintained in order to facilitate 
node comparisons, a full comparison of node subtrees being performed only if a match 
is obtained between node signatures (See Lee pg. 12 for common subtree node.). 

m. Per claim 13, AAPA in view of Cheriton and Lee discloses the method of 
claim 12 wherein the signature for a given node is generated as a function of at least 
one of a field value and a subtree pointer (See Cheriton col. 3 lines 46-51 for subtree 
pointer; i.e. oppointer and col. 4 lines 5-10 for field values; i.e. source and 
destination address.). 
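Claims 7 through 13 describe one procedure: a master list of nodes per level, each node carrying field values, subtree pointers and a reference count, with copied nodes compared against the master list by signature so that duplicates are discarded and a single shared copy is pointed to. The Python below is an added illustration of that construction and is not code from the application or any cited reference; the three fields, first-match semantics, the '*' wildcard and the sample rules are constructed assumptions.

```python
FIELDS = ("src", "dst", "proto")  # one tree level per field (assumed field set)
# Constructed sample ACL: ((src, dst, proto), action); first match wins, '*' is any.
SAMPLE_RULES = [
    (("10.0.0.1", "10.0.0.9", "tcp"), "accept"),
    (("10.0.0.2", "10.0.0.9", "tcp"), "accept"),
    (("*", "*", "icmp"), "accept"),
    (("*", "*", "*"), "deny"),
]

class Node:  # children: field value -> Node | action; refcount: ancestor edges
    def __init__(self, level):
        self.level, self.children, self.refcount = level, {}, 0

class AclDag:  # multi-level ACL tree in which common subtrees are stored once
    def __init__(self, rules):
        self.master = [dict() for _ in FIELDS]  # per level: signature -> node
        self.root = self._build(list(rules), 0)

    def _build(self, rules, level):
        if level == len(FIELDS):  # leaf level: action of the first matching rule
            return rules[0][1] if rules else "deny"
        node = Node(level)
        for v in sorted({r[0][level] for r in rules} | {"*"}):
            matching = [r for r in rules if r[0][level] in (v, "*")]
            node.children[v] = self._build(matching, level + 1)
        return self._intern(node)

    def _intern(self, node):
        # Signature = function of field values and subtree pointers; children are
        # already interned, so an equal signature means an identical subtree.
        sig = tuple((v, c if isinstance(c, str) else id(c))
                    for v, c in node.children.items())
        table = self.master[node.level]
        if sig in table:  # duplicate in the master list: discard the copy, reuse
            return table[sig]
        table[sig] = node  # new node joins this level's master list
        for c in node.children.values():
            if isinstance(c, Node):
                c.refcount += 1  # one more ancestor now points at that subtree
        return node

    def lookup(self, packet):  # one level per field; '*' branch is the fallback
        node = self.root
        for name in FIELDS:
            node = node.children.get(packet[name]) or node.children["*"]
        return node

    def node_count(self):  # nodes actually stored in the shared representation
        return sum(len(t) for t in self.master)

    def expanded_count(self, node=None):  # nodes an unshared tree would hold
        node = self.root if node is None else node
        return 1 + sum(self.expanded_count(c)
                       for c in node.children.values() if isinstance(c, Node))
```

With the sample rules the two explicit source addresses share one level-2 subtree, so the shared representation holds 5 nodes where a plain tree would hold 9.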

n. Per claim 14, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 wherein the corresponding actions include at least an accept action and a deny 
action (See rejection of claim 1 above where an accept or deny action is involved 
in routing the packets.). 

o. Per claim 15, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 further including the step of storing at least a portion of the tree representation in 
memory circuitry accessible to the processor (See AAPA pg. 1 paragraph [0007] 
where memory is taught.). 

p. Per claim 16, AAPA in view of Cheriton and Lee discloses the method of 
claim 1 further including the step of utilizing the stored tree representation to perform an 
access control list based function in the processor (See AAPA pg. 1 paragraph [0004] 
for utilizing in the network processor, [0007] for memory, and Cheriton col. 2 lines 
15-20 for stored tree structure.). 

q. Per claim 17, AAPA in view of Cheriton and Lee discloses the method of 
claim 16 wherein the access control list based function comprises packet filtering (See 
AAPA pg. 1 paragraph [0004] where packet filtering is taught). 

r. Per claim 18, rejection of claim 1 is incorporated. Claim 18 is rejected 
under the same rationale as claim 1. AAPA in view of Cheriton and Lee discloses an 
apparatus configured for performing one or more processing operations utilizing a 
representation of an access control list, the access control list comprising a plurality of 
rules, each of at least a subset of the rules having a plurality of fields and a 
corresponding action (See AAPA paragraph [0003] for ACL comprising rules having 
fields.), the apparatus comprising: 

a processor having memory circuitry associated therewith (See AAPA pg. 1 
paragraph [0004] for network processors and [0007] for memory circuitry.); 

the memory circuitry being configured for storing (See AAPA pg. 1 [0007] for 
memory circuitry) at least a portion of a multi-level tree representation of the access 
control list, each of one or more of the levels of the tree representation being associated 
with a corresponding one of the fields (See Cheriton cols. 2 lines 35-44 for levels of 
multi-level tree representation of ACL.); 

the processor being operative to utilize the stored tree representation to perform 
an access control list based function (See AAPA pg. 1 paragraph [0004] for network 
processors in view of Cheriton cols. 2 lines 35-44 for tree representation to 
perform ACL function.) 

wherein at least one level of the tree representation comprises a plurality of 
nodes (See col. 2 lines 15-18 and 35-37, and col. 4 lines 5-9 of Cheriton where M- 
trie Plus data structure is a multi-level tree.), 

with two or more of the nodes having a common subtree, the tree representation 
including only a single copy of that subtree; the tree representation being 
characterizable as a directed graph in which each of the two nodes having the common 
subtree points to the single copy of the common subtree (See pg. 12 of Lee where a 
plurality of nodes 'x & y' at one level points to one node y .). 
Further see rejection of claim 1 for rationale of rejection to claim 18. 

s. Per claim 19, rejection of claim 18 is incorporated. AAPA in view of 
Cheriton and Lee discloses the apparatus of claim 18 wherein the memory circuitry 
comprises at least one of internal memory and external memory of the processor (See 
AAPA paragraph [0007] memory circuitry and [0004] for processor.) 

t. Per claim 20, rejection of claim 1 is incorporated. Claim 20 is rejected 
under the same rationale as claim 1. AAPA in view of Cheriton and Lee discloses an 
article of manufacture comprising a machine-readable storage medium having program 
code stored thereon, the program code generating a representation of an access control 
list, the representation being utilizable in a processor (See AAPA pg. 1 paragraph 
[0003] for ACL [0004] for processor, and [0007] for article of manufacture 
comprising machine-readable storage medium, i.e. memory.), wherein the program 
code when executed implements the steps of: 

determining a plurality of rules of the access control list, each of at least a subset 
of the rules having a plurality of fields and a corresponding action (See AAPA page 1 
paragraph [0003] where an ACL generally comprises a set of rules, the rules 
having fields and corresponding actions.); and 

processing the rules to generate a multi-level tree representation of the access 
control list, each of one or more of the levels of the tree representation being associated 
with a corresponding one of the fields; wherein at least one level of the tree 
representation comprises a plurality of nodes (See Cheriton col. 2 lines 15-18 
and 35-37, and col. 4 lines 5-9 where M-trie Plus data structure is a multi-level 
tree.), 

with two or more of the nodes of that level having a common subtree, the tree 
representation including only a single copy of that subtree; the tree representation being 
characterizable as a directed graph in which each of the two nodes having the common 
subtree points to the single copy of the common subtree (See Lee pg. 12 where a 
plurality of nodes 'x & y' at one level points to one node 'y'.). 

Further see rejection of claim 1 for rationale of rejection to claim 20. 

Conclusion 

4. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Valois et al. (US PUB 2004/020818) for elimination of redundancy with ACL 
rules. 

5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carlene Gordon whose telephone number is (571) 272-1951. 
The examiner can normally be reached on 8:30 AM - 5:00 PM EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tim Vo can be reached on (571) 272-3642. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
6. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Carlene Gordon 
Patent Examiner 
Art Unit 2168 





